Zero‑Dwell Threat Intelligence Report
A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-12-16 07:07:10 UTC
Executive Overview — What We’re Dealing With
This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.
File
Microsoft Edge.exe
Type
Generic CIL Executable (.NET, Mono, etc.)
SHA‑1
789b71c5f902f68315e898f84506487388bbee0a
MD5
b84918a2eb3aa97b9c1d4b45bbd532fd
First Seen
2025-10-19 13:46:46.615271
Last Analysis
2025-11-04 14:40:28.514316
Dwell Time
0 days, 7 hours, 33 minutes
Extended Dwell Time Impact
For 16+ days, this malware remained undetected — a significant window that allowed the adversary to establish deep persistence, conduct thorough system reconnaissance, escalate privileges, and initiate data collection activities.
Comparative Context
Industry studies report a median dwell time closer to 21–24 days. While this case is below that median, any multi-day dwell time represents meaningful attacker opportunity.
Timeline
| Time (UTC) | Event | Elapsed |
|---|---|---|
| 2025-10-18 22:39:13 UTC | First VirusTotal submission | — |
| 2025-11-08 08:56:38 UTC | Latest analysis snapshot | 20 days, 10 hours, 17 minutes |
| 2025-12-16 07:07:10 UTC | Report generation time | 58 days, 8 hours, 27 minutes |
Why It Matters
Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.
Global Detection Posture — Who Caught It, Who Missed It
VirusTotal engines: 73. Detected as malicious: 59. Missed: 14. Coverage: 80.8%.
Detected Vendors
- Xcitium
- +58 additional vendors (names not provided)
List includes Xcitium plus an additional 58 vendors per the provided summary.
Missed Vendors
- Acronis
- Antiy-AVL
- Baidu
- CMC
- Cynet
- Kingsoft
- NANO-Antivirus
- SUPERAntiSpyware
- tehtris
- Trapmine
- ViRobot
- Webroot
- Yandex
- Zoner
Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.
MITRE ATT&CK Mapping
- T1129 – link function at runtime on Windows
- T1027 – encrypt data using DPAPI
- T1047 – access WMI data in .NET
- T1057 – find process by PID
- T1010 – enumerate gui resources
- T1112 – delete registry key
- T1082 – get MAC address in .NET
- T1027 – encrypt data using Salsa20 or ChaCha
- T1082 – get hostname
- T1027 – reference Base64 string
- T1082 – query environment variable
- T1012 – query or enumerate registry value
- T1140 – decode data using Base64 in .NET
- T1016 – get domain information
- T1083 – check if directory exists
- T1222 – set file attributes
- T1553.005 – bypass Mark of the Web
- T1083 – get common file path
- T1083 – enumerate files in .NET
- T1213 – reference WMI statements
- T1082 – get OS version in .NET
- T1083 – check if file exists
- T1112 – delete registry value
- T1614 – get geographical location
- T1057 – enumerate processes
- T1518 – enumerate processes
- T1213 – reference SQL statements
- T1057 – find process by name
- T1016 – get networking interfaces
- T1033 – get session user name
- T1087 – get session user name
- T1614.001 – get keyboard layout
- T1033 – get session integrity level
- T1012 – query or enumerate registry key
- T1620 – invoke .NET assembly method
- T1027 – encode data using Base64
- T1083 – get file size
- T1053.005 – schedule task via schtasks
- T1056.001 – log keystrokes via polling
- T1555.003 – gather chrome based browser login information
- T1562 – set TCP connection state
- T1082 – get disk information
- T1564 – A process created a hidden window
- T1202 – Uses Windows utilities for basic functionality
- T1202 – Uses suspicious command line tools or Windows utilities
- T1112 – Installs itself for autorun at Windows startup
- T1564.003 – A process created a hidden window
- T1082 – Checks available memory
- T1071 – Reads from the memory of another process
- T1071 – Yara detections observed in process dumps, payloads or dropped files
- T1071 – At least one IP Address, Domain, or File Name was found in a crypto call
- T1071 – Binary file triggered YARA rule
- T1053 – Installs itself for autorun at Windows startup
- T1106 – Guard pages use detected – possible anti-debugging.
- T1129 – The process attempted to dynamically load a malicious function
- T1057 – The process has tried to detect the debugger probing the use of page guards.
- T1129 – The process tried to load dynamically one or more functions.
- T1057 – The process attempted to detect a running debugger using common APIs
- T1071 – The process behaves as a known keylogger (iSpy)
- T1053 – Uses schtasks.exe or at.exe to add and modify task schedules
- T1036 – Drops PE files to the windows directory (C:\\Windows)
- T1036 – Creates files inside the system directory
- T1497 – Allocates memory with a write watch (potentially for evading sandboxes)
- T1562.001 – Creates guard pages, often used to prevent reverse engineering and debugging
- T1564.001 – Hides that the sample has been downloaded from the Internet (zone.identifier)
- T1082 – Queries the volume information (name, serial number etc) of a device
- T1082 – Queries the cryptographic machine GUID
Following the Trail — Network & DNS Activity
Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.
Contacted Domains
| Domain | IP | Country | ASN/Org |
|---|---|---|---|
| anydesks.duckdns.org | 196.159.67.63 | Egypt | Vodafone-Data-Routes |
| www.msftncsi.com | 23.200.3.18 | United States | Akamai Technologies, Inc. |
| www.aieov.com | 76.223.54.146 | United States | Amazon.com, Inc. |
Observed IPs
| IP | Country | ASN/Org |
|---|---|---|
| 224.0.0.252 | — | — |
| 239.255.255.250 | — | — |
| 8.8.4.4 | United States | Google LLC |
| 8.8.8.8 | United States | Google LLC |
| 5.189.132.160 | Germany | Contabo GmbH |
DNS Queries
| Request | Type |
|---|---|
| 5isohu.com | A |
| www.msftncsi.com | A |
| anydesks.duckdns.org | A |
| www.aieov.com | A |
Contacted IPs
| IP | Country | ASN/Org |
|---|---|---|
| 224.0.0.252 | — | — |
| 239.255.255.250 | — | — |
| 8.8.4.4 | United States | Google LLC |
| 8.8.8.8 | United States | Google LLC |
| 5.189.132.160 | Germany | Contabo GmbH |
Port Distribution
| Port | Count | Protocols |
|---|---|---|
| 137 | 1 | udp |
| 5355 | 4 | udp |
| 53 | 62 | udp |
| 3702 | 1 | udp |
UDP Packets
| Source IP | Dest IP | Sport | Dport | Time | Proto |
|---|---|---|---|---|---|
| 192.168.56.13 | 192.168.56.255 | 137 | 137 | 7.488329172134399 | udp |
| 192.168.56.13 | 224.0.0.252 | 49311 | 5355 | 10.206976175308228 | udp |
| 192.168.56.13 | 224.0.0.252 | 55150 | 5355 | 7.419788122177124 | udp |
| 192.168.56.13 | 224.0.0.252 | 60010 | 5355 | 9.146181106567383 | udp |
| 192.168.56.13 | 224.0.0.252 | 63527 | 5355 | 7.443944215774536 | udp |
| 192.168.56.13 | 239.255.255.250 | 52252 | 3702 | 7.446493148803711 | udp |
| 192.168.56.13 | 8.8.4.4 | 50554 | 53 | 131.20620608329773 | udp |
| 192.168.56.13 | 8.8.4.4 | 53518 | 53 | 192.62853002548218 | udp |
| 192.168.56.13 | 8.8.4.4 | 53985 | 53 | 286.5656862258911 | udp |
| 192.168.56.13 | 8.8.4.4 | 54879 | 53 | 22.003931045532227 | udp |
| 192.168.56.13 | 8.8.4.4 | 54881 | 53 | 11.73703908920288 | udp |
| 192.168.56.13 | 8.8.4.4 | 55551 | 53 | 145.65948510169983 | udp |
| 192.168.56.13 | 8.8.4.4 | 55743 | 53 | 273.17507219314575 | udp |
| 192.168.56.13 | 8.8.4.4 | 56086 | 53 | 257.84676218032837 | udp |
| 192.168.56.13 | 8.8.4.4 | 56197 | 53 | 131.30017113685608 | udp |
| 192.168.56.13 | 8.8.4.4 | 56202 | 53 | 367.5184361934662 | udp |
| 192.168.56.13 | 8.8.4.4 | 56908 | 53 | 300.8157970905304 | udp |
| 192.168.56.13 | 8.8.4.4 | 57065 | 53 | 210.8780071735382 | udp |
| 192.168.56.13 | 8.8.4.4 | 57310 | 53 | 69.97187614440918 | udp |
| 192.168.56.13 | 8.8.4.4 | 57415 | 53 | 83.95601105690002 | udp |
| 192.168.56.13 | 8.8.4.4 | 58070 | 53 | 315.1750931739807 | udp |
| 192.168.56.13 | 8.8.4.4 | 58697 | 53 | 36.34697914123535 | udp |
| 192.168.56.13 | 8.8.4.4 | 58920 | 53 | 84.33158612251282 | udp |
| 192.168.56.13 | 8.8.4.4 | 59610 | 53 | 225.73774123191833 | udp |
| 192.168.56.13 | 8.8.4.4 | 60543 | 53 | 178.47218012809753 | udp |
| 192.168.56.13 | 8.8.4.4 | 60780 | 53 | 239.59722113609314 | udp |
| 192.168.56.13 | 8.8.4.4 | 60910 | 53 | 98.69080114364624 | udp |
| 192.168.56.13 | 8.8.4.4 | 61004 | 53 | 163.90935516357422 | udp |
| 192.168.56.13 | 8.8.4.4 | 61800 | 53 | 272.20586609840393 | udp |
| 192.168.56.13 | 8.8.4.4 | 61897 | 53 | 329.5496292114258 | udp |
| 192.168.56.13 | 8.8.4.4 | 62406 | 53 | 7.420697212219238 | udp |
| 192.168.56.13 | 8.8.4.4 | 62422 | 53 | 320.5344660282135 | udp |
| 192.168.56.13 | 8.8.4.4 | 62493 | 53 | 51.721962213516235 | udp |
| 192.168.56.13 | 8.8.4.4 | 62849 | 53 | 37.36228013038635 | udp |
| 192.168.56.13 | 8.8.4.4 | 64533 | 53 | 178.2691512107849 | udp |
| 192.168.56.13 | 8.8.4.4 | 64801 | 53 | 116.94098114967346 | udp |
| 192.168.56.13 | 8.8.4.4 | 64886 | 53 | 225.23753023147583 | udp |
| 192.168.56.13 | 8.8.8.8 | 50554 | 53 | 130.20733308792114 | udp |
| 192.168.56.13 | 8.8.8.8 | 53518 | 53 | 191.629292011261 | udp |
| 192.168.56.13 | 8.8.8.8 | 53985 | 53 | 285.5658690929413 | udp |
| 192.168.56.13 | 8.8.8.8 | 54879 | 53 | 23.003010034561157 | udp |
| 192.168.56.13 | 8.8.8.8 | 54881 | 53 | 12.721992015838623 | udp |
| 192.168.56.13 | 8.8.8.8 | 55551 | 53 | 144.6603331565857 | udp |
| 192.168.56.13 | 8.8.8.8 | 55743 | 53 | 272.1761431694031 | udp |
| 192.168.56.13 | 8.8.8.8 | 56086 | 53 | 256.84717416763306 | udp |
| 192.168.56.13 | 8.8.8.8 | 56197 | 53 | 130.3002851009369 | udp |
| 192.168.56.13 | 8.8.8.8 | 56202 | 53 | 366.51963210105896 | udp |
| 192.168.56.13 | 8.8.8.8 | 56908 | 53 | 299.81684708595276 | udp |
| 192.168.56.13 | 8.8.8.8 | 57065 | 53 | 209.87848019599915 | udp |
| 192.168.56.13 | 8.8.8.8 | 57310 | 53 | 68.97252011299133 | udp |
| 192.168.56.13 | 8.8.8.8 | 57415 | 53 | 82.95704102516174 | udp |
| 192.168.56.13 | 8.8.8.8 | 58070 | 53 | 314.175311088562 | udp |
| 192.168.56.13 | 8.8.8.8 | 58697 | 53 | 35.34777116775513 | udp |
| 192.168.56.13 | 8.8.8.8 | 58920 | 53 | 83.33198404312134 | udp |
| 192.168.56.13 | 8.8.8.8 | 59610 | 53 | 224.73851013183594 | udp |
| 192.168.56.13 | 8.8.8.8 | 60543 | 53 | 177.47254705429077 | udp |
| 192.168.56.13 | 8.8.8.8 | 60780 | 53 | 238.5972170829773 | udp |
| 192.168.56.13 | 8.8.8.8 | 60910 | 53 | 97.69747114181519 | udp |
| 192.168.56.13 | 8.8.8.8 | 61004 | 53 | 162.91002202033997 | udp |
| 192.168.56.13 | 8.8.8.8 | 61800 | 53 | 271.20678901672363 | udp |
| 192.168.56.13 | 8.8.8.8 | 61897 | 53 | 328.5505030155182 | udp |
| 192.168.56.13 | 8.8.8.8 | 62406 | 53 | 8.40944218635559 | udp |
| 192.168.56.13 | 8.8.8.8 | 62422 | 53 | 319.5349531173706 | udp |
| 192.168.56.13 | 8.8.8.8 | 62493 | 53 | 50.72211408615112 | udp |
| 192.168.56.13 | 8.8.8.8 | 62849 | 53 | 36.36306619644165 | udp |
| 192.168.56.13 | 8.8.8.8 | 64533 | 53 | 177.2690601348877 | udp |
| 192.168.56.13 | 8.8.8.8 | 64801 | 53 | 115.94088315963745 | udp |
| 192.168.56.13 | 8.8.8.8 | 64886 | 53 | 224.23764610290527 | udp |
Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.
Persistence & Policy — Registry and Services
Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.
Registry Opened
325
Registry Set
7
Services Started
0
Services Opened
1
Registry Opened (Top 25)
| Key |
|---|
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseSafeSynchronousClose |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\FeatureSIMD |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.76.6.1!7\Name |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallationType |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.10.3.37!7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseHttpPipeliningAndBufferPooling |
| HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\79\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName |
| HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\.NETFramework\XML |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\Microsoft Edge.exe |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0 |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.UseStrictIPv6AddressParsing |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowAllUriEncodingExpansion |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.10.3.42!7\Name |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.10.3.37!7\Name |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs |
| HKEY_LOCAL_MACHINE\Software\Classes |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseSafeSynchronousClose |
| HKEY_CURRENT_USER\Software\Microsoft\.NETFramework |
| HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\79\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7 |
| HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\79\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.76.6.1!7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7\Name |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseStrictRfcInterimResponseHandling |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseRyuJIT |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.10.3.37!7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\ |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE |
| HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\79\52C64B7E |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto |
Show all (325 total)
| Key |
|---|
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.10.3.42!7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7\Name |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SKUs\default |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowAllUriEncodingExpansion |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowDangerousUnicodeDecompositions |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework |
| HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\79\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.92.1.1!7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictRfcInterimResponseHandling |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.92.1.1!7\Name |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseHttpPipeliningAndBufferPooling |
| HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\79\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.92.1.1!7 |
| HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\79\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SchSendAuxRecord |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7\Name |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.76.6.1!7 |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictIPv6AddressParsing |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Microsoft Edge.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\XML |
| HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\79\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.10.3.42!7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\RequireCertificateEKUs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchSendAuxRecord |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowDangerousUnicodeDecompositions |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense |
| HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\79\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SystemDefaultTlsVersions |
| Policy\Standards |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\UseLegacyIdentityFormat |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Transactions__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\EnablePrivateObjectHeap |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.IdentityModel.Selectors__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\ObjectLimit |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\CacheLocation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Net.Http__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Messaging__b03f5f7f11d50a3a |
| HKEY_CLASSES_ROOT\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\0x0 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\Latest |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\DisableMSIPeek |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.DirectoryServices__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Microsoft.Transactions.Bridge__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Data.SqlXml__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\default |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time\MUI_Dlt |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Web.ApplicationServices__31bf3856ad364e35 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time\TZI |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Standards\v4.0.30319 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\UseRyuJIT |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.SMDiagnostics__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.ServiceModel.Internals__31bf3856ad364e35 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.IdentityModel__b77a5c561934e089 |
| System\CurrentControlSet\Control\SecurityProviders\Schannel\UserContextListCount |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time\Dynamic DST |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\0x0 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\index9 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\FeatureSIMD |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.SMDiagnostics__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
| HKEY_CURRENT_USER\Software\Microsoft\.NETFramework\Policy\Standards |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\CLRLoadLogDir |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\WMIDisableCOMSecurity |
| HKEY_CLASSES_ROOT\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LoggingLevel |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\ForceLog |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32\0x0 |
| HKEY_CLASSES_ROOT\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Transactions__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Data.SqlXml__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\FileInUseRetryAttempts |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Messaging__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\LegacyWPADSupport |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\HillClimbing_TargetSignalToNoiseRatio |
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.ServiceModel__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LogResourceBinds |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\IdentifierLimit |
| HKEY_CLASSES_ROOT\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32\0x0 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Web.ApplicationServices__31bf3856ad364e35 |
| System\CurrentControlSet\Control\SecurityProviders\Schannel\UserContextLockCount |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.ServiceModel__b77a5c561934e089 |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\ContextLimit |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Web.Services__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Web.Services__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Microsoft.Transactions.Bridge__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xaml__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.EnterpriseServices__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4270068108-2931534202-3907561125-1001 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time\MUI_Display |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.IdentityModel__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LogFailures |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.IdentityModel.Selectors__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.ServiceProcess__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.DurableInstancing__31bf3856ad364e35 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.ServiceModel.Internals__31bf3856ad364e35 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.DurableInstancing__31bf3856ad364e35 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\EnableLog |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xaml__b77a5c561934e089 |
| SOFTWARE\Microsoft\Cryptography\AutoEnrollment\Debug |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\OnlyUseLatestCLR |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\DownloadCacheQuotaInKB |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.EnterpriseServices__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DisableConfigCache |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.ServiceProcess__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.DirectoryServices__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time\MUI_Std |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\ProcessID |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\v4.0 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Net.Http__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\InstallRoot |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\DESHashSessionKeyBackward |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\KnownFolderSettings |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Data.SqlXml__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\PropertyBag |
| \REGISTRY\USER |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.AllowFullDomainLiterals |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Data.SqlXml__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\ |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PropertyBag |
| HKEY_LOCAL_MACHINE\System\Setup |
| HKEY_CURRENT_USER\Software\Microsoft\Fusion |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Ole |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Display |
| HKEY_USERS.DEFAULT |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Microsoft Edge.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\policy\standards\v4.0.30319 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\Tracing |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PropertyBag |
| HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\policy\v4.0 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced |
| HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089 |
| HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\32\52C64B7E |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Wow64\x86\xtajit |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Offload |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.FinishProxyTunnelConnectionEarly |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089 |
| HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Ole\FeatureDevelopmentProperties |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schtasks.exe |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1070296143-2877979003-364783958-1001 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\ECCParameters |
Registry Set (Top 25)
| Key | Value |
|---|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E348179A-2A68-48FE-B87C-F65957C73862}\DynamicInfo | — |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E348179A-2A68-48FE-B87C-F65957C73862}\Hash | — |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E348179A-2A68-48FE-B87C-F65957C73862}\Path | — |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E348179A-2A68-48FE-B87C-F65957C73862}\Triggers | — |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft Edge\Id | — |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft Edge\Index | — |
| HKEY_USERS\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefile | Binary Data |
Services Started (Top 15)
Services Opened (Top 15)
| Service |
|---|
| dnsCache |
What To Do Now — Practical Defense Playbook
- Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
- EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
- Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
- Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
- Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.
Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.